
SecurityTokenExpiredException reported in Azure #10625


shedspotter created

Hi,

product version = 9.0.1
product type = Angular
product framework type = .net core 3.1

SecurityTokenExpiredException reported in Azure

Reviewing SQL activity, the DTU utilization is low

Reviewing application insights in Azure for the web app there are frequent exceptions raised around SecurityTokenExpiredException.

Digging into the transaction detail for one example, a 12.7 delay was caused by this exception consuming /api/TokenAuth/Authenticate

Simply refreshing the login page is one example where the exception is raised. Timings can vary.

Logs:

Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException:
   at Microsoft.IdentityModel.Tokens.Validators.ValidateLifetime (Microsoft.IdentityModel.Tokens, Version=5.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateLifetime (System.IdentityModel.Tokens.Jwt, Version=5.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload (System.IdentityModel.Tokens.Jwt, Version=5.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken (System.IdentityModel.Tokens.Jwt, Version=5.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
   at SSD.Web.Authentication.JwtBearer.SSDJwtSecurityTokenHandler.ValidateToken (SSD.Web.Core, Version=9.0.1.0, Culture=neutral, PublicKeyToken=null: D:\a\1\s\SSD\aspnet-core\src\SSD.Web.Core\Authentication\JwtBearer\SSDJwtSecurityTokenHandler.cs:42)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler+<HandleAuthenticateAsync>d__6.MoveNext (Microsoft.AspNetCore.Authentication.JwtBearer, Version=3.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)

Thanks


14 Answer(s)
  • musa.demir created

    Hi @shedspotter

    That error is thrown by the System.IdentityModel.Tokens.Jwt.ValidateToken method (see: https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler.validatetoken?view=azure-dotnet). Refreshing your browser should not cause the error. Can you please check these:

    1. Check if your token lifetime is long enough (https://github.com/aspnetzero/aspnet-zero-core/blob/2269967cc03e5c460e2d6c0833cb97feaa5d1fad/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Application.Shared/AppConsts.cs#L49).
    2. Check if your current token is really expired (you can use https://jwt.io/).
    3. Check if your current token exists; if it exists, store it. Then refresh your browser and check if they are equal.
  • shedspotter created

    Hi musa.demir,

    Thank you for the response

    Step 1: it is the same as in the shared link. Step 2: the current token is not expired. Step 3: after following the 3rd step, the previous token and the new token after refreshing the browser have the same expiration time.

    Thanks

  • musa.demir created

    Hi @shedspotter

    Can you please share your token's exp field and the exact time you get the error (with timezone)? It might have a timezone problem.

  • shedspotter created

    Hi @musa.demir

    Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWRlbnRpZmllciI6Ijk0IiwiaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvbmFtZSI6ImNzaGFoIiwiQXNwTmV0LklkZW50aXR5LlNlY3VyaXR5U3RhbXAiOiJXR0wyWEg1RFg1Sk9aWEFMU0FUM1Y0V1BUUURDSVJKRSIsImh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd3MvMjAwOC8wNi9pZGVudGl0eS9jbGFpbXMvcm9sZSI6IkFkbWluIiwiaHR0cDovL3d3dy5hc3BuZXRib2lsZXJwbGF0ZS5jb20vaWRlbnRpdHkvY2xhaW1zL3RlbmFudElkIjoiMTAyIiwiaHR0cDovL3d3dy5hc3BuZXRib2lsZXJwbGF0ZS5jb20vaWRlbnRpdHkvY2xhaW1zL2ltcGVyc29uYXRvclVzZXJJZCI6IjEiLCJzdWIiOiI5NCIsImp0aSI6ImM1OTRmZDA1LWYyMTUtNDhhYy05ODYyLWVkZWE2ZjFlMzdjMSIsImlhdCI6MTYzNTMxMDkzNiwidG9rZW5fdmFsaWRpdHlfa2V5IjoiZmNjY2ZhNDktNWRjMi00ODYwLWE0OGQtMDdkY2I3YjUzNDBiIiwidXNlcl9pZGVudGlmaWVyIjoiOTRAMTAyIiwidG9rZW5fdHlwZSI6IjAiLCJuYmYiOjE2MzUzMTA5MzYsImV4cCI6MTYzNTM5NzMzNiwiaXNzIjoiU1NEIiwiYXVkIjoiU1NEIn0.M4VujdjiMq4QBVJ3EU2e_FtVdPwQNm1-ncqhdiRJcBc
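    The lifetime checks suggested above (is the configured lifetime long enough, is the token really expired, does the exp field agree with the time of the error) can be done offline without jwt.io. The following script is an added example and not part of this thread or of AspNet Zero: it decodes the token posted above without verifying its signature and applies the same nbf/exp rules with clock-skew tolerance that Microsoft.IdentityModel's ValidateLifetime applies (expired when exp < now - skew; not yet valid when nbf > now + skew; the library default skew is 5 minutes). The sample timestamps in the usage are constructed for illustration.

```python
"""Offline JWT lifetime diagnostic (added example, not AspNet Zero code).

Decodes header and payload WITHOUT signature verification and evaluates
the lifetime rules used by Microsoft.IdentityModel.Tokens.Validators.ValidateLifetime:
  - SecurityTokenNotYetValidException when nbf > now + clockSkew
  - SecurityTokenExpiredException     when exp < now - clockSkew
Use it to compare a token's exp claim (in UTC) with the time an error was logged.
"""
import base64
import json
from datetime import datetime, timedelta, timezone

# Library default ClockSkew in TokenValidationParameters is five minutes.
DEFAULT_CLOCK_SKEW = timedelta(minutes=5)

# Token posted in the thread (HS256, iss/aud "SSD"); used here only as sample input.
THREAD_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWRlbnRpZmllciI6Ijk0IiwiaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvbmFtZSI6ImNzaGFoIiwiQXNwTmV0LklkZW50aXR5LlNlY3VyaXR5U3RhbXAiOiJXR0wyWEg1RFg1Sk9aWEFMU0FUM1Y0V1BUUURDSVJKRSIsImh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd3MvMjAwOC8wNi9pZGVudGl0eS9jbGFpbXMvcm9sZSI6IkFkbWluIiwiaHR0cDovL3d3dy5hc3BuZXRib2lsZXJwbGF0ZS5jb20vaWRlbnRpdHkvY2xhaW1zL3RlbmFudElkIjoiMTAyIiwiaHR0cDovL3d3dy5hc3BuZXRib2lsZXJwbGF0ZS5jb20vaWRlbnRpdHkvY2xhaW1zL2ltcGVyc29uYXRvclVzZXJJZCI6IjEiLCJzdWIiOiI5NCIsImp0aSI6ImM1OTRmZDA1LWYyMTUtNDhhYy05ODYyLWVkZWE2ZjFlMzdjMSIsImlhdCI6MTYzNTMxMDkzNiwidG9rZW5fdmFsaWRpdHlfa2V5IjoiZmNjY2ZhNDktNWRjMi00ODYwLWE0OGQtMDdkY2I3YjUzNDBiIiwidXNlcl9pZGVudGlmaWVyIjoiOTRAMTAyIiwidG9rZW5fdHlwZSI6IjAiLCJuYmYiOjE2MzUzMTA5MzYsImV4cCI6MTYzNTM5NzMzNiwiaXNzIjoiU1NEIiwiYXVkIjoiU1NEIn0.M4VujdjiMq4QBVJ3EU2e_FtVdPwQNm1-ncqhdiRJcBc"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str):
    """Return (header, payload) dicts. The signature is NOT checked: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def _iso_utc(ts):
    return None if ts is None else datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def lifetime_status(payload: dict, now: datetime, skew: timedelta = DEFAULT_CLOCK_SKEW) -> dict:
    """Evaluate iat/nbf/exp against a timezone-aware `now` the way ValidateLifetime does."""
    if now.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime (use UTC, as the server does)")
    now_ts = now.timestamp()
    tol = skew.total_seconds()
    iat, nbf, exp = payload.get("iat"), payload.get("nbf"), payload.get("exp")
    not_yet_valid = nbf is not None and nbf > now_ts + tol
    expired = exp is not None and exp < now_ts - tol
    return {
        "issued_at": _iso_utc(iat),
        "not_before": _iso_utc(nbf),
        "expires_at": _iso_utc(exp),
        # Compare with the configured access-token expiration (AppConsts in AspNet Zero).
        "lifetime_seconds": None if iat is None or exp is None else exp - iat,
        "seconds_until_expiry": None if exp is None else exp - now_ts,
        "not_yet_valid": not_yet_valid,
        "expired": expired,
        "valid": not (not_yet_valid or expired),
    }


def diagnose(token: str, error_time_utc: datetime) -> dict:
    """One-call helper: decode the token and judge it at the logged error time."""
    header, payload = decode_unverified(token)
    status = lifetime_status(payload, error_time_utc)
    status["alg"] = header.get("alg")
    status["iss"] = payload.get("iss")
    return status


if __name__ == "__main__":
    # Constructed example time: evaluate the thread's token as if the error were logged now.
    for key, value in diagnose(THREAD_TOKEN, datetime.now(timezone.utc)).items():
        print(f"{key:>22}: {value}")
```

    Feed it the token and the UTC timestamp from the Application Insights exception record; if `expired` is False at that time, the exception is not explained by the token itself and the server's clock or a stale token on the client side becomes the next thing to check.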

  • ismcagdas created
    Support Team

    Hi @shedspotter

    Did you get the same error with this token? If so, could you share the exact time you get the error (with timezone)?

    Thanks,

  • shedspotter created

    Hi @ismcagdas

    TimeZone: UTC. I am not sure what the actual exception token is, and it's very hard to replicate; accordingly, here are the exception details.

    Thanks

  • ismcagdas created
    Support Team

    Hi @shedspotter

    Can you reproduce the problem? If so, could you share your website URL and a test user account's credentials with [email protected]? If we can reproduce the problem, we can understand the real cause.

  • Ricavir created

    Hi,

    I'm also getting a lot of SecurityTokenExpiredException exceptions.

    We are having these exceptions with all tenants in the same timezone.

    These exceptions are happening mainly with the following endpoints:

    • POST /api/TokenAuth/Authenticate
    • POST /signalr/negociate

    SecurityTokenExpiredException is sometimes followed by SecurityTokenInvalidSignatureException.

    Our app is having performance issues and we are tracking these exceptions on AppInsights.

    I don't know how to reproduce this and help you guys to find the issue...

    Please tell me how I can help find this issue.

  • ismcagdas created
    Support Team

    Hi @ricavir

    Could you add a log to the TokenAuth/Authenticate method to log the token and DateTime.UtcNow? Then share it with us for a request with this error.

    Could you also share which version of AspNet Zero you use?

  • Ricavir created

    Hi @ismcagdas,

    I'm using Abp 6.4. I can add a log as you requested and come back to you after.

    While analysing this issue in my code, I found that the CreateJwtClaims method uses CacheManager... And I just figured out that I'm having issues with CacheManager when my Azure AppService is running on multiple instances. For example, when running with 2 instances, I'm not able to switch user to different tenant accounts (like this: https://support.aspnetzero.com/QA/Questions/9502/Switching-tenant-fails-in-mutiple-docker-container-instances-setup)

    Therefore, I'm wondering if all these issues are coming from cache management? (Should I use Redis?) What do you think?

  • Ricavir created

    Hi @ismcagdas,

    Any news about my previous question on CacheManager?

  • ismcagdas created
    Support Team

    Hi @ricavir

    Sorry, I just saw your question. If you are using more than one instance of your app, it is suggested to use Redis or a similar central cache system. Otherwise, each instance will keep its own memory cache and there will be problems.

  • Ricavir created

    Hi @ismcagdas,

    Thanks for your answer, I will implement Redis then.

  • ismcagdas created
    Support Team

    Thanks @ricavir

    @shedspotter, did you make any progress on this?